b' Oversight Review            September 21, 2011\n\n\n  Report on Hotline Allegation Regarding Lack of\nAgency Guidance on the Currency of Audit Testing in\n        the Defense Contract Audit Agency\n\n             Report No. D-2011-6-011\n\x0cAdditional Copies\nTo obtain additional copies of this report, visit the Web site of the Department of Defense\nInspector General at www.dodig.mil/audit/reports or contact the Office of the Assistant\nInspector General for Audit Policy and Oversight at (703) 604-8760 or fax\n(703) 604-8982.\n\nSuggestions for Future Reviews\nTo suggest ideas for or to request future reviews, contact the Office of the Assistant\nInspector General for Audit Policy and Oversight at (703) 604-8760 (DSN 664-8760), or\nfax (703) 604-8982. Ideas and requests can also be mailed to:\n\n                        Office of the Assistant Inspector General\n                             for Audit Policy and Oversight\n                        Department of Defense Inspector General\n                          400 Army Navy Drive (Room 833)\n                               Arlington, VA 22202-4704\n\n\n\n\nAcronyms\nAICPA                         American Institute of Certified Public Accountants\nCAM                           Contract Audit Manual\nDCAA                          Defense Contract Audit Agency\nEVMS                          Earned Value Management System\nGAGAS                         Generally Accepted Government Auditing Standards\nGAO                           Government Accountability Office\nIG                            Inspector General\n\x0c\x0cReport No. D-2011-6-011 (Project No. D2010-DIP0AI-0117.000)                 September 21, 2011\n\n              Results in Brief: Hotline Allegation\n              Regarding Lack of Agency Guidance on the\n              Currency of Audit Testing in the Defense\n              Contract Audit Agency\n\n   What We Did                                         What We Recommend\n   We reviewed the DOD Hotline complaint               We recommend the DCAA Director develop\n   alleging that the Defense Contract Audit            written policy and guidance to ensure that\n   Agency (DCAA) lacks written guidance and            DCAA auditors comply with GAGAS by\n   agency-wide policy regarding the need to            obtaining sufficient evidence to provide a\n   perform current testing of data.                    reasonable basis for the conclusion that is\n                                                       expressed in audits of contractor business\n   What We Found                                       and internal control systems. Specifically,\n   We substantiated the allegation that DCAA           the agency-wide written policy and guidance\n   does not have any written guidance or               should require auditors to perform sufficient\n   agency-wide policy regarding the need to            testing of current data and testing of data\n   perform current testing of contractor data          generated by the system throughout the\n   during audits of contractor business systems.       period under audit. Further, the guidance\n   In addition, we found that each regional            should require auditors to perform retesting\n   office in DCAA has their own rule of thumb          or expand testing if the data tested is no\n   as to what they consider to be current audit        longer current.\n   testing and when retesting is required. We\n   found that the data tested by the auditor           Management Comments\n   from reports dated September 21, 2008, was          and Our Response\n   no longer current and did not meet the field        In responding to the June 20, 2011 draft of\n   work standard in generally accepted                 this report, the Director, DCAA agreed with\n   government auditing standards (GAGAS)               our     findings    and     recommendations.\n   which requires auditors to obtain sufficient,       Therefore, no additional comments are\n   appropriate evidence. It would be desirable         required. Please see the recommendations\n   to have written agency-wide audit policy            table on the following page.\n   and guidance from DCAA Headquarters to\n   ensure consistency among the regions and\n                                                                  United States Department of Defense\n   field audit offices, and to ensure that                            Office of Inspector General\n   auditors obtain sufficient evidence to                              Report No. D-2011-6-011\n                                                                 (Project No. D2010-DIP0AI-0117.000)\n   provide a reasonable basis for the conclusion                          September 21, 2011\n\n   that is expressed in the audit report.\n\n\n\n\n                                                   i\n\x0cReport No. D-2011-6-011 (Project No. D2010-DIP0AI-0117.000)   September 21, 2011\n\nRecommendations Table\n\n             Management                   Recommendations       No Additional\n                                          Requiring Comment   Comments Required\nDirector, Defense Contract Audit Agency                        1.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nIntroduction\n\n      Objective                                                     1\n      Background                                                    1\n\n\nFinding. Lack of Agency Guidance on the Currency of Audit Testing\n\n      Allegation                                                    3\n      Background                                                    3\n      Our Review                                                    4\n      Recommendation, Management Comments, and Our Response         7\n\nAppendix\n\n      Scope and Methodology                                         9\n\nManagement Comments\n\n      Defense Contract Audit Agency                                 10\n\x0cIntroduction\nObjective\nWe conducted this review to determine whether the complainant\xe2\x80\x99s allegation received by\nthe DOD Hotline could be substantiated. The complainant alleged that the Defense\nContract Audit Agency does not have any written guidance or agency-wide policy\nregarding the need to perform current testing of contractor data.\n\nSee Appendix A for details of our scope and methodology.\n\nBackground\n\nDefense Contract Audit Agency (DCAA)\nIn accordance with DOD Directive 5105.36, DCAA performs contract auditing and\nprovides accounting and financial advisory services in connection with the negotiation,\nadministration and settlement of contracts and subcontracts. DCAA operates under the\nauthority, direction, and control of the Under Secretary of Defense (Comptroller).\n\nOrganizationally, DCAA includes a Headquarters, Field Detachment, and five regions:\nCentral, Eastern, Mid-Atlantic, Northeastern, and Western. Each region has several field\naudit offices.\n\nGovernment Accountability Office (GAO)\nGAO issued two reports addressing the requirement that auditors perform sufficient\ntesting to express an opinion on the subject under audit, including one in July 2008 1 and\nthe other in September 2009. 2 These reports noted that generally accepted government\nauditing standards require auditors to perform sufficient testing and obtain sufficient\nevidence to express an opinion on the subject matter. The 2009 report found audit quality\nproblems at DCAA offices nationwide, including insufficient audit testing on its internal\ncontrol reviews. The report notes that DCAA\xe2\x80\x99s secondary objective on audits of\ncontractor systems and controls is to determine the degree of reliance that can be placed\non the contractor\xe2\x80\x99s internal controls as a basis for planning the scope of other related\naudits. The report found that 33 of the 37 internal control audits did not include\nsufficient testing of internal controls to support auditor conclusions and opinions. DCAA\nuses the results of contractor systems and internal control audits to assess risk and plan\nthe nature, extent, and timing of tests for other contractor audits and other assignments.\n\n\n\n\n1\n  Report No. GAO-08-857, \xe2\x80\x9cDCAA AUDITS: Allegations That Certain Audits at Three Locations Did Not\nMeet Professional Standards Were Substantiated,\xe2\x80\x9d July 22, 2008.\n2\n  Report No. GAO-09-468, \xe2\x80\x9cDCAA AUDITS: Widespread Problems with Audit Quality Require\nSignificant Reform,\xe2\x80\x9d September 23, 2009.\n\n\n\n                                                1\n\x0cGenerally Accepted Government Auditing Standards\nAs a Government audit organization, DCAA must comply with applicable generally\naccepted government auditing standards (GAGAS) issued by the Comptroller General of\nthe United States. GAGAS incorporates the standards issued by the American Institute of\nCertified Public Accountants. The DCAA Contract Audit Manual (CAM) prescribes\nauditing policies and procedures for performing audits in support of the DCAA mission.\nThe CAM incorporates GAGAS into its guidance.\n\nDOD Instruction 7600.2 dated April 27, 2007, \xe2\x80\x9cAudit Policies,\xe2\x80\x9d requires that all\nindependent audit and attestation engagements of DOD organizations, programs,\nactivities, and functions be conducted in accordance with GAGAS as issued by the\nComptroller General of the United States. GAGAS provides the framework for auditors\nto perform high-quality audit work with competence, integrity, objectivity, and\nindependence. Under GAGAS, auditors must prepare audit documentation in sufficient\ndetail to provide a clear understanding of the work performed, including the nature,\ntiming, extent, and results of audit procedures performed; the evidence obtained and its\nsource; and the conclusions reached. The audit documentation should contain support for\nthe report\xe2\x80\x99s findings, conclusions, and recommendations.\n\nGAGAS 6.04b requires the auditor to obtain sufficient and appropriate evidence to\nprovide a reasonable basis for the conclusion that is expressed in the report. The\nevidence provided in the report is more helpful if it is current.\n\n\n\n\n                                           2\n\x0cFinding\nLack of Agency Guidance on the Currency of Audit\nTesting\nWe substantiated the allegation that DCAA does not have any written guidance or\nagency-wide policy regarding the need to perform current testing of transactions during\naudits of contractor business and internal control systems.\n\nAllegation\nThe complainant alleged that DCAA lacks any written guidance or agency-wide policy\nregarding the \xe2\x80\x9ccurrency\xe2\x80\x9d of audit testing which is causing audit reports on contractor\nbusiness system reviews to be delayed as a result of retesting.\n\nBackground\nIn addressing the allegation, the auditor described an incident whereby he completed an\naudit of the contractor\xe2\x80\x99s earned value management system (EVMS) for compliance with\ncertain earned value management guidelines. During a review of the draft report in\nNovember 2009, the DCAA Eastern Region determined that the data reviewed by the\nauditor was not current and required the auditor to retest the data. The complainant\nalleged that the lack of written agency policy or guidance regarding the need to perform\ncurrent testing led the Eastern Regional Director to require retesting.\n\nThe auditor reviewed and tested the most current Contract Performance Reports dated\nSeptember 21, 2008 that were available at the time the audit started in December 2008.\nDuring the course of the audit, all transactions tested by the auditor came from the\nSeptember 21, 2008 reports. The auditor completed the audit in August 2009. The\nsupervisory auditor completed his review in November 2009 and submitted the draft\nreport for review to the DCAA Eastern Region Technical Programs Division.\n\nOn November 9, 2009, the Eastern Regional Technical Programs Specialist telephoned\nthe supervisory auditor and told him that she would like the auditor to perform \xe2\x80\x9ccurrent\xe2\x80\x9d\ntesting on more recent Contract Performance Reports. The auditor stated that he selected\nthe most current Contract Performance Reports available at the start of the audit. At that\ntime, no written guidance or policy related to a 6-, 9-, or 12-month testing policy existed.\nHowever, the data tested was no longer current by the time the audit was completed. To\nbe sufficient and current, evidence supporting the audit opinion should be reasonably\ncurrent as of the date of the audit report.\n\nThe Eastern Regional Technical Programs Specialist was concerned with the \xe2\x80\x9cage\xe2\x80\x9d of the\nContract Performance Reports and related transaction testing performed by the auditor.\nThe specialist noted in an email dated November 13, 2009 that the reports tested were\ndated September 21, 2008. The email stated that it is DCAA\xe2\x80\x99s position that testing in a\nsystem review be as current as possible. However, there is no written agency-wide policy\nregarding DCAA\xe2\x80\x99s position. In addition, the specialist stated that it is the Eastern\n\n\n                                             3\n\x0cRegional Director\xe2\x80\x99s position based upon discussions held in DCAA Executive Steering\nCommittee meetings that the data tested should be within a six- to nine-month period\nprior to the issuance of the audit report.\n\nOn November 16, 2009, a teleconference was held between the Regional Special\nPrograms and Resident Office. It was noted that there is no written policy that an audit\nreport must be issued six to nine months after the date of the data being audited in a\nsystem audit. The Eastern Regional Special Programs Manager requested that the auditor\nupdate the testing on the system findings to current Contract Performance Reports.\n\nOn November 17, 2009, a Program Manager from Headquarters, now retired, emailed the\nEastern Regional Technical Programs Specialist and said that the testing should be\nupdated if it is more than 12 months old.\n\nOn November 18, 2009, the Eastern Regional Director decided that the testing should be\nupdated for transactions that were tested and are older than nine months. As a result of\nthe lack of written agency policy or guidance, the Eastern Regional Director directed the\nauditor to perform additional testing and determine if the original deficiencies were still\nat issue. Subsequently the Regional Audit Manager advised the Resident Auditor that the\nopinion stated in the audit report cannot be based on testing performed on contractor\nContract Performance Report data from September 2008.\n\nOur Review\nWe obtained and reviewed the statements made by the auditor, Resident Office and\nRegional management, Eastern Regional Technical Programs Specialist, and the Director\nof the Eastern Region. Additionally we researched applicable regulations, DCAA\nContract Audit Manual (CAM), and DCAA agency policies. The complainant performed\nall of his testing from the Contract Performance Reports dated September 21, 2008. The\ndata tested was one year old by the time the complainant completed the audit. The\nauditor did not obtain sufficient evidence to provide a reasonable basis for the conclusion\nthat is expressed in the report. The evidence was not sufficient because the evidence was\nnot current. Therefore, the Eastern Region required the auditor to retest using current\ndata.\n\nWe substantiated the allegation that DCAA does not have written guidance or agency-\nwide policy related to the \xe2\x80\x9ccurrent\xe2\x80\x9d testing of data. We agree that the lack of written\nagency-wide policy or guidance regarding \xe2\x80\x9ccurrent\xe2\x80\x9d testing led the Eastern Regional\nDirector to make a decision that the auditor must perform additional testing. All resident\naudit office and regional office managers we interviewed stated that DCAA does not\nhave any guidance or agency-wide policy regarding the need to perform \xe2\x80\x9ccurrent\xe2\x80\x9d testing\nduring audits of contractor\xe2\x80\x99s internal control and business systems. The Chief, Technical\nPrograms Division from each DCAA region all agreed that guidance and agency-wide\npolicy from DCAA Headquarters is needed to regulate testing of current data to assist\nauditors in obtaining sufficient appropriate evidence to support conclusions in audits of\ncontractor internal controls and business systems.\n\n\n\n                                             4\n\x0cRegional Offices\nWe found that the lack of written guidance or agency-wide policy resulted in inconsistent\npractices among the DCAA regional offices. We contacted the Chief, Technical\nPrograms Division for each region. Each Chief stated that the data tested should be\ncurrent. However, the regions are using different criteria to determine when retesting\nwould be required before providing an opinion on the contractor\xe2\x80\x99s business or internal\ncontrol systems. We asked the Chief, Technical Programs Division from each region the\nquestion: \xe2\x80\x9cWhen would retesting be required because the data tested is too old to give an\naudit opinion on the business or internal control system?\xe2\x80\x9d We received inconsistent\nanswers as noted in Table 1 (below).\n\n                    Table 1. Region Responses on Data Retesting\n               Region         Retesting would be required if the data tested\n                                   were older than the following period\n         Eastern                 Older than 9 months\n         Northeastern            Older than 12 months\n         Central                 Older than 6 months\n         Western                 Older than 12 months\n         Mid-Atlantic            Older than 9 months\n         Field Detachment        Older than 9 months\n\nThe lack of written guidance and agency-wide policy from DCAA Headquarters has\ncreated inconsistent treatment among the five regions and the Field Detachment. All\nregions agree that an opinion must be provided based on data that is relatively current.\nWritten guidance and policy from DCAA Headquarters is expected; but, no written\npolicy has been provided. Written guidance and agency-wide policy would advise\nauditors of the requirement to perform \xe2\x80\x9ccurrent\xe2\x80\x9d testing to obtain sufficient evidence to\nprovide a reasonable basis for the conclusion that is expressed in the report.\n\nHeadquarters\nThe Chief, Auditing Standards Division, DCAA Headquarters acknowledged that DCAA\ndoes not have a written policy stating a specific time frame beyond which testing in\naudits of contractor business systems would be considered outdated. Based on current\nDCAA policy, audit reports on contractor systems are relied on by DCAA as a basis for\nassessing control risk in related audits for a period of two to four years assuming no\nchanges to the system. DCAA Headquarters believes that the appropriate exercise of\nprofessional judgment would generally dictate that to be sufficient and appropriate, the\nevidence supporting the audit opinion should be reasonably current as of the date of the\naudit report. As a general rule, when DCAA Headquarters receives questions regarding\nthis issue, they advise regions and field audit offices that testing should generally be no\nmore than 9 to 12 months old when the audit report is issued. However, DCAA\nHeadquarters has not provided any written guidance or policy on the subject.\n\n\n\n\n                                             5\n\x0cDCAA Memorandum for Regional Directors (09-PAS-020(NR)), dated October 9, 2009,\nstated that new guidance is expected to be issued in the second quarter of FY 2010 for\naudits of contractors\xe2\x80\x99 billing systems and audits of contractors\xe2\x80\x99 control environment and\noverall accounting systems. We are not aware that DCAA Headquarters issued any new\nguidance as mentioned in this memorandum.\n\nApplicable Criteria\nIn performing its audits, DCAA states that it follows generally accepted government\nauditing standards (GAGAS). GAGAS 1.23a covering examination-level engagements\nrequire that auditors obtain sufficient, appropriate evidence to provide a reasonable basis\nto express an opinion on whether the subject matter is based on (or in conformity with)\nthe criteria in all material respects. Also, GAGAS 6.04b requires the auditor to obtain\nsufficient evidence to provide a reasonable basis for the conclusion that is expressed in\nthe report. The evidence provided in the report is more helpful if it is current.\n\n   \xe2\x80\xa2   The Government Accountability Office (GAO) Report GAO-09-468 found that\n       33 of 37 internal control audits it reviewed did not include sufficient testing of\n       internal controls to support auditor conclusions and opinions. The GAO found\n       that an auditor tested only two, three, or sometimes five transactions to support\n       audit conclusions. In another instance, an auditor tested four vouchers that were\n       all processed on the same day out of the 8-month period covered by the audit.\n\nThe GAO report states, for internal control audits which are relied on for 2 to 4 years and\nsometimes longer, the auditors would be expected to test a representative selection of\ntransactions across the year and not transactions for just one day, one month, or a couple\nof months. An auditor should use a population covering a 12-month period if the\nassignment is designed to cover a 1-year period.\n\nFurther, the GAO report found that 6 of the 37 audit reports were not issued at the time\nthe work was completed. Because testing was not updated or was not sufficiently\nupdated, the reported audit opinions which related to controls at the time the reports were\nissued, were not adequately supported and may have been inaccurate. GAO\nrecommended that DCAA revise DCAA audit policy and update DCAA\xe2\x80\x99s CAM as\nappropriate, to provide appropriate guidance on what constitutes sufficient testing to\ncomply with GAGAS.\n\nThe complainant, in providing an opinion on the contractor\xe2\x80\x99s EVMS, reviewed only those\nContract Performance Reports dated September 21, 2008. The complainant had 17\nfindings and prepared a 90-page audit report. He reviewed 13 earned value management\nguidelines on two different earned value management systems at Northrop Grumman\nNaval Shipyard. One system is on the nuclear aircraft carrier and the other system is on\nthe nuclear submarine. The complainant audited the Contract Performance Reports\nissued on both systems. The draft report was sent to the Eastern Region for review in\nNovember 2009. As a result, the Eastern Regional Director required the auditor to update\nthe testing to review current contract performance reports. We do not disagree with the\nRegional Director\xe2\x80\x99s decision. The auditor should have tested a representative selection of\n\n\n                                             6\n\x0ctransactions across the year and not just transactions from reports issued on just one day.\nWe observed that for very large projects such as this, the data tested will never be current\nunless such audits are scoped and resourced adequately. This particular audit only had\ntwo auditors assigned. Cost Performance Reports are submitted monthly for the nuclear\naircraft carrier and are submitted quarterly for the nuclear submarine. The data tested by\nthe auditor was not current and did not consist of sufficient appropriate evidence to\nprovide a reasonable basis for the audit conclusion.\n\nWe substantiated the complainant\xe2\x80\x99s allegation that there is no written agency-wide policy\nor guidance regarding the need to perform testing of \xe2\x80\x9ccurrent\xe2\x80\x9d data to support an opinion\nof the contractor\xe2\x80\x99s system. We recommend that DCAA Headquarters develop written\nagency-wide policy and guidance on the need to test current data to support opinions on\nthe contractor\xe2\x80\x99s internal controls and business systems. The policy and guidance should\ninclude criteria when the auditor should expand testing and perform additional work.\n\n\nRecommendation, Management Comments, and Our\nResponse\n1. We recommend that the Director, Defense Contract Audit Agency,\n\n       Develop written policy and guidance to ensure DCAA auditors comply with\n       generally accepted government auditing standards by obtaining sufficient\n       evidence to provide a reasonable basis for the conclusion that is expressed in\n       audits of contractor\xe2\x80\x99s internal controls and business systems. Specifically,\n       the written policy and guidance should include the requirement for auditors\n       to perform:\n\n                   (a) Sufficient testing of current data.\n\n                   (b) Testing of data generated by the system throughout the period\n                   under audit.\n\n                   (c) Retesting or expand testing if the data tested is no longer\n                   current.\n\nManagement Comments\nThe Director concurred. By November 2011, DCAA will issue guidance, which will\ninclude the requirement for auditors to (i) perform sufficient testing of data that is\nrelevant to the audit objectives, including the period or point in time covered by the\nreport, (ii) perform testing of data generated by the system throughout the period under\naudit, and (iii) issue timely audit reports. For audits of contractor business systems,\nDCAA will perform compliance attestation engagements and report on the contractor\xe2\x80\x99s\ncompliance during a period of time or as of a point in time, consistent with the applicable\nattestation reporting standards (AT 601.55b) in AICPA\xe2\x80\x99s Statements on Standards for\nAttestation Engagements. Circumstances where auditors would need to expand testing to\n\n\n                                             7\n\x0cobtain sufficient evidence for the conclusions expressed in the report should be limited\nsince the transactions being evaluated in the audit will coincide with the defined period\ncovered by the audit. DCAA agrees with the guidance in GAGAS A8.02g, that the\nevidence provided in the report is more helpful if it is current and, therefore, timely\nissuance of the report is an important reporting goal for auditors.\n\nOur Response\nThe comments are responsive and no further comments are required. We will monitor\nthe effectiveness of the new guidance and the timeliness of audit reports. The timely\nissuance of audit reports on contractor business systems is essential to the success of the\nnew agency policy. Audits of contractor business systems should be current and audit\nreports on contractor business systems should be issued timely to protect the taxpayer\xe2\x80\x99s\ninterests.\n\n\n\n\n                                             8\n\x0cAppendix. Scope and Methodology\nThe review was conducted in accordance with the Council of the Inspectors General on\nIntegrity and Efficiency \xe2\x80\x9cQuality Standards for Inspection and Evaluation.\xe2\x80\x9d To\ndetermine the validity of the Hotline complaint addressed in this report, we:\n\n    \xe2\x80\xa2   interviewed the complainant, Eastern Region\xe2\x80\x99s supervisor, resident auditor,\n        regional audit manager, and regional technical programs specialist, and obtained\n        additional documents related to the complaint;\n\n    \xe2\x80\xa2   obtained inquiry from Headquarters and Regional offices, DCAA;\n\n    \xe2\x80\xa2   reviewed applicable DCAA policies and procedures, such as the Defense\n        Contract Audit Manual, and audit programs; and\n\n    \xe2\x80\xa2   reviewed applicable GAGAS.\n\nWe performed this review from April 2010 through May 2011.\n\n\nUse of Computer-Processed Data\nWe did not rely on any computer-processed data as part of our review.\n\n\nPrior Coverage\nDuring the last 5 years, the GAO and the Department of Defense Inspector General\n(DOD IG) have issued 3 reports related to the requirement that DCAA auditors perform\nsufficient testing to express an opinion on the subject under audit. Unrestricted GAO\nreports can be accessed over the Internet at http://www.gao.gov. Unrestricted DOD IG\nreports can be accessed at http://www.dodig.mil/audit/reports.\n\nGAO\nReport No. GAO-09-468, \xe2\x80\x9cDCAA Audits: Widespread Problems with Audit Quality\nRequire Significant Reform,\xe2\x80\x9d September 23, 2009\n\nReport No. GAO-08-857, \xe2\x80\x9cDCAA Audits: Allegations That Certain Audits at Three\nLocations Did Not Meet Professional Standards Were Substantiated,\xe2\x80\x9d July 22, 2008\n\n\nDOD IG\nReport No. D-2009-6-009, \xe2\x80\x9cDefense Contract Audit Agency Audit Work Deficiencies\nand Abusive Work Environment Identified by the Government Accountability Office,\xe2\x80\x9d\nAugust 31, 2009\n\n\n\n\n                                            9\n\x0cDefense Contract Audit Agency Comments\n\n\n\n\n                    10\n\x0c11\n\x0c12\n\x0c\x0c'